From patchwork Tue May 18 15:10:11 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ivan Malov <Ivan.Malov@oktetlabs.ru>
X-Patchwork-Id: 93307
X-Patchwork-Delegate: ferruh.yigit@amd.com
Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@inbox.dpdk.org
Delivered-To: patchwork@inbox.dpdk.org
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 46FDCA0A02;
	Tue, 18 May 2021 17:10:23 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 06F3F4068E;
	Tue, 18 May 2021 17:10:23 +0200 (CEST)
Received: from shelob.oktetlabs.ru (shelob.oktetlabs.ru [91.220.146.113])
 by mails.dpdk.org (Postfix) with ESMTP id 31E9F40041;
 Tue, 18 May 2021 17:10:21 +0200 (CEST)
Received: from localhost.localdomain (unknown [5.144.120.183])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by shelob.oktetlabs.ru (Postfix) with ESMTPSA id B14897F53B;
 Tue, 18 May 2021 18:10:20 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 shelob.oktetlabs.ru B14897F53B
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=oktetlabs.ru;
 s=default; t=1621350620;
 bh=GgnoTAxNcaP9JJkQhOe3VuSd0X2hIIu769OrN15zzFU=;
 h=From:To:Cc:Subject:Date;
 b=kvJA49hE+7qnFLcAiD8TcZyfRk5uNE18fxtX4nLtfdRd8fZPw1PjxBsv89F+QoIcn
 eT+wSvIHfKCwigOHhq7apCQKPMqwLbgbPuOdPi7JYQ1jwUMBIJOpSPtff2K/yeC0lY
 JveynmtDkvX7atgsT5+CM8VnhdvhFW2a9AQbhyOg=
From: Ivan Malov <ivan.malov@oktetlabs.ru>
To: dev@dpdk.org
Cc: Andy Moreton <amoreton@xilinx.com>, stable@dpdk.org,
 Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>,
 Ferruh Yigit <ferruh.yigit@intel.com>
Date: Tue, 18 May 2021 18:10:11 +0300
Message-Id: <20210518151012.14277-1-ivan.malov@oktetlabs.ru>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Subject: [dpdk-dev] [PATCH 1/2] common/sfc_efx/base: limit reported MCDI
 response length
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

From: Andy Moreton <amoreton@xilinx.com>

MCDI helper routines in libefx include length checks for response
messages, to ensure that short replies and optional fields are
handled correctly.

If the MCDI response message from the firmware is larger than the
caller's buffer then the response length reported to the caller
should be limited to the buffer size. Otherwise length checks in
the caller may allow reading past the end of the buffer.

Fixes: 6f619653b9b1 ("net/sfc/base: import MCDI implementation")
Cc: stable@dpdk.org

Signed-off-by: Andy Moreton <amoreton@xilinx.com>
Signed-off-by: Ivan Malov <ivan.malov@oktetlabs.ru>
Reviewed-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
---
 drivers/common/sfc_efx/base/efx_mcdi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/common/sfc_efx/base/efx_mcdi.c b/drivers/common/sfc_efx/base/efx_mcdi.c
index ff676f8a0..f4e1384d0 100644
--- a/drivers/common/sfc_efx/base/efx_mcdi.c
+++ b/drivers/common/sfc_efx/base/efx_mcdi.c
@@ -516,6 +516,9 @@ efx_mcdi_finish_response(
 	bytes = MIN(emrp->emr_out_length_used, emrp->emr_out_length);
 	efx_mcdi_read_response(enp, emrp->emr_out_buf, resp_off, bytes);
 
+	/* Report bytes copied to caller (response message may be larger) */
+	emrp->emr_out_length_used = bytes;
+
 #if EFSYS_OPT_MCDI_LOGGING
 	if (emtp->emt_logger != NULL) {
 		emtp->emt_logger(emtp->emt_context,

From patchwork Tue May 18 15:10:12 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ivan Malov <Ivan.Malov@oktetlabs.ru>
X-Patchwork-Id: 93308
X-Patchwork-Delegate: ferruh.yigit@amd.com
Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@inbox.dpdk.org
Delivered-To: patchwork@inbox.dpdk.org
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id DF44BA0A02;
	Tue, 18 May 2021 17:10:30 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 3402A41106;
	Tue, 18 May 2021 17:10:25 +0200 (CEST)
Received: from shelob.oktetlabs.ru (shelob.oktetlabs.ru [91.220.146.113])
 by mails.dpdk.org (Postfix) with ESMTP id 861414068E;
 Tue, 18 May 2021 17:10:21 +0200 (CEST)
Received: from localhost.localdomain (unknown [5.144.120.183])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by shelob.oktetlabs.ru (Postfix) with ESMTPSA id 0F7667F593;
 Tue, 18 May 2021 18:10:21 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 shelob.oktetlabs.ru 0F7667F593
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=oktetlabs.ru;
 s=default; t=1621350621;
 bh=CpEOaeGz46GKgIaE/RvZb6Sdg5uwQQ/rFAU+tL/1vG4=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References;
 b=vP3j/ktMmbr5RAG1M/fLA/M56FFmIEzguIA9nCnaWIXyLhtykq2RTyqYoWebgcgC9
 GMDSaGxa5/2inqwOA7Ir/WTjalmJ5jtutg0HyNdoLYCBKCrIOaIAg9XqgeDNREo42c
 UNBAfjwEBEYlTabpSqsf43Vy2viJNx5+9r7QSmDQ=
From: Ivan Malov <ivan.malov@oktetlabs.ru>
To: dev@dpdk.org
Cc: Andy Moreton <amoreton@xilinx.com>, stable@dpdk.org,
 Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>,
 Ferruh Yigit <ferruh.yigit@intel.com>
Date: Tue, 18 May 2021 18:10:12 +0300
Message-Id: <20210518151012.14277-2-ivan.malov@oktetlabs.ru>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20210518151012.14277-1-ivan.malov@oktetlabs.ru>
References: <20210518151012.14277-1-ivan.malov@oktetlabs.ru>
MIME-Version: 1.0
Subject: [dpdk-dev] [PATCH 2/2] common/sfc_efx/base: add missing MCDI
 response length checks
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

From: Andy Moreton <amoreton@xilinx.com>

Fixes: 6f619653b9b1 ("net/sfc/base: import MCDI implementation")
Fixes: e7cd430c864f ("net/sfc/base: import SFN7xxx family support")
Fixes: 94190e3543bf ("net/sfc/base: import SFN8xxx family support")
Fixes: 34285fd0891d ("common/sfc_efx/base: add match spec validate API")
Fixes: e61baa82e64b ("common/sfc_efx/base: add MAE action set provisioning APIs")
Fixes: b4fac34715f2 ("common/sfc_efx/base: add MAE action rule provisioning APIs")
Fixes: ed15d7f8e064 ("common/sfc_efx/base: validate and compare outer match specs")
Fixes: 7a673e1a4a05 ("common/sfc_efx/base: support outer rule provisioning")
Cc: stable@dpdk.org

Signed-off-by: Andy Moreton <amoreton@xilinx.com>
Signed-off-by: Ivan Malov <ivan.malov@oktetlabs.ru>
Reviewed-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
---
 drivers/common/sfc_efx/base/ef10_filter.c | 11 ++++-
 drivers/common/sfc_efx/base/ef10_nic.c    | 10 ++++-
 drivers/common/sfc_efx/base/efx_mae.c     | 52 +++++++++++++++++++----
 drivers/common/sfc_efx/base/efx_mcdi.c    |  7 +++
 4 files changed, 69 insertions(+), 11 deletions(-)

diff --git a/drivers/common/sfc_efx/base/ef10_filter.c b/drivers/common/sfc_efx/base/ef10_filter.c
index 0c99d4b74..ac6006c9b 100644
--- a/drivers/common/sfc_efx/base/ef10_filter.c
+++ b/drivers/common/sfc_efx/base/ef10_filter.c
@@ -1225,20 +1225,25 @@ efx_mcdi_get_parser_disp_info(
 		goto fail1;
 	}
 
+	if (req.emr_out_length_used < MC_CMD_GET_PARSER_DISP_INFO_OUT_LENMIN) {
+		rc = EMSGSIZE;
+		goto fail2;
+	}
+
 	matches_count = MCDI_OUT_DWORD(req,
 	    GET_PARSER_DISP_INFO_OUT_NUM_SUPPORTED_MATCHES);
 
 	if (req.emr_out_length_used <
 	    MC_CMD_GET_PARSER_DISP_INFO_OUT_LEN(matches_count)) {
 		rc = EMSGSIZE;
-		goto fail2;
+		goto fail3;
 	}
 
 	*list_lengthp = matches_count;
 
 	if (buffer_length < matches_count) {
 		rc = ENOSPC;
-		goto fail3;
+		goto fail4;
 	}
 
 	/*
@@ -1258,6 +1263,8 @@ efx_mcdi_get_parser_disp_info(
 
 	return (0);
 
+fail4:
+	EFSYS_PROBE(fail4);
 fail3:
 	EFSYS_PROBE(fail3);
 fail2:
diff --git a/drivers/common/sfc_efx/base/ef10_nic.c b/drivers/common/sfc_efx/base/ef10_nic.c
index 531365e42..eda0ad306 100644
--- a/drivers/common/sfc_efx/base/ef10_nic.c
+++ b/drivers/common/sfc_efx/base/ef10_nic.c
@@ -491,11 +491,17 @@ efx_mcdi_get_rxdp_config(
 	req.emr_out_length = MC_CMD_GET_RXDP_CONFIG_OUT_LEN;
 
 	efx_mcdi_execute(enp, &req);
+
 	if (req.emr_rc != 0) {
 		rc = req.emr_rc;
 		goto fail1;
 	}
 
+	if (req.emr_out_length_used < MC_CMD_GET_RXDP_CONFIG_OUT_LEN) {
+		rc = EMSGSIZE;
+		goto fail2;
+	}
+
 	if (MCDI_OUT_DWORD_FIELD(req, GET_RXDP_CONFIG_OUT_DATA,
 				    GET_RXDP_CONFIG_OUT_PAD_HOST_DMA) == 0) {
 		/* RX DMA end padding is disabled */
@@ -514,7 +520,7 @@ efx_mcdi_get_rxdp_config(
 			break;
 		default:
 			rc = ENOTSUP;
-			goto fail2;
+			goto fail3;
 		}
 	}
 
@@ -522,6 +528,8 @@ efx_mcdi_get_rxdp_config(
 
 	return (0);
 
+fail3:
+	EFSYS_PROBE(fail3);
 fail2:
 	EFSYS_PROBE(fail2);
 fail1:
diff --git a/drivers/common/sfc_efx/base/efx_mae.c b/drivers/common/sfc_efx/base/efx_mae.c
index 80fe155d0..c1784211e 100644
--- a/drivers/common/sfc_efx/base/efx_mae.c
+++ b/drivers/common/sfc_efx/base/efx_mae.c
@@ -109,17 +109,22 @@ efx_mae_get_outer_rule_caps(
 		goto fail2;
 	}
 
+	if (req.emr_out_length_used < MC_CMD_MAE_GET_OR_CAPS_OUT_LENMIN) {
+		rc = EMSGSIZE;
+		goto fail3;
+	}
+
 	mcdi_field_ncaps = MCDI_OUT_DWORD(req, MAE_GET_OR_CAPS_OUT_COUNT);
 
 	if (req.emr_out_length_used <
 	    MC_CMD_MAE_GET_OR_CAPS_OUT_LEN(mcdi_field_ncaps)) {
 		rc = EMSGSIZE;
-		goto fail3;
+		goto fail4;
 	}
 
 	if (mcdi_field_ncaps > field_ncaps) {
 		rc = EMSGSIZE;
-		goto fail4;
+		goto fail5;
 	}
 
 	for (i = 0; i < mcdi_field_ncaps; ++i) {
@@ -147,6 +152,8 @@ efx_mae_get_outer_rule_caps(
 
 	return (0);
 
+fail5:
+	EFSYS_PROBE(fail5);
 fail4:
 	EFSYS_PROBE(fail4);
 fail3:
@@ -191,17 +198,22 @@ efx_mae_get_action_rule_caps(
 		goto fail2;
 	}
 
-	mcdi_field_ncaps = MCDI_OUT_DWORD(req, MAE_GET_OR_CAPS_OUT_COUNT);
+	if (req.emr_out_length_used < MC_CMD_MAE_GET_AR_CAPS_OUT_LENMIN) {
+		rc = EMSGSIZE;
+		goto fail3;
+	}
+
+	mcdi_field_ncaps = MCDI_OUT_DWORD(req, MAE_GET_AR_CAPS_OUT_COUNT);
 
 	if (req.emr_out_length_used <
 	    MC_CMD_MAE_GET_AR_CAPS_OUT_LEN(mcdi_field_ncaps)) {
 		rc = EMSGSIZE;
-		goto fail3;
+		goto fail4;
 	}
 
 	if (mcdi_field_ncaps > field_ncaps) {
 		rc = EMSGSIZE;
-		goto fail4;
+		goto fail5;
 	}
 
 	for (i = 0; i < mcdi_field_ncaps; ++i) {
@@ -229,6 +241,8 @@ efx_mae_get_action_rule_caps(
 
 	return (0);
 
+fail5:
+	EFSYS_PROBE(fail5);
 fail4:
 	EFSYS_PROBE(fail4);
 fail3:
@@ -1773,15 +1787,22 @@ efx_mae_outer_rule_remove(
 		goto fail2;
 	}
 
+	if (req.emr_out_length_used < MC_CMD_MAE_OUTER_RULE_REMOVE_OUT_LENMIN) {
+		rc = EMSGSIZE;
+		goto fail3;
+	}
+
 	if (MCDI_OUT_DWORD(req, MAE_OUTER_RULE_REMOVE_OUT_REMOVED_OR_ID) !=
 	    or_idp->id) {
 		/* Firmware failed to remove the outer rule. */
 		rc = EAGAIN;
-		goto fail3;
+		goto fail4;
 	}
 
 	return (0);
 
+fail4:
+	EFSYS_PROBE(fail4);
 fail3:
 	EFSYS_PROBE(fail3);
 fail2:
@@ -2176,15 +2197,22 @@ efx_mae_action_set_free(
 		goto fail2;
 	}
 
+	if (req.emr_out_length_used < MC_CMD_MAE_ACTION_SET_FREE_OUT_LENMIN) {
+		rc = EMSGSIZE;
+		goto fail3;
+	}
+
 	if (MCDI_OUT_DWORD(req, MAE_ACTION_SET_FREE_OUT_FREED_AS_ID) !=
 	    aset_idp->id) {
 		/* Firmware failed to free the action set. */
 		rc = EAGAIN;
-		goto fail3;
+		goto fail4;
 	}
 
 	return (0);
 
+fail4:
+	EFSYS_PROBE(fail4);
 fail3:
 	EFSYS_PROBE(fail3);
 fail2:
@@ -2326,15 +2354,23 @@ efx_mae_action_rule_remove(
 		goto fail2;
 	}
 
+	if (req.emr_out_length_used <
+	    MC_CMD_MAE_ACTION_RULE_DELETE_OUT_LENMIN) {
+		rc = EMSGSIZE;
+		goto fail3;
+	}
+
 	if (MCDI_OUT_DWORD(req, MAE_ACTION_RULE_DELETE_OUT_DELETED_AR_ID) !=
 	    ar_idp->id) {
 		/* Firmware failed to delete the action rule. */
 		rc = EAGAIN;
-		goto fail3;
+		goto fail4;
 	}
 
 	return (0);
 
+fail4:
+	EFSYS_PROBE(fail4);
 fail3:
 	EFSYS_PROBE(fail3);
 fail2:
diff --git a/drivers/common/sfc_efx/base/efx_mcdi.c b/drivers/common/sfc_efx/base/efx_mcdi.c
index f4e1384d0..f226ffd92 100644
--- a/drivers/common/sfc_efx/base/efx_mcdi.c
+++ b/drivers/common/sfc_efx/base/efx_mcdi.c
@@ -2294,6 +2294,11 @@ efx_mcdi_get_workarounds(
 		goto fail1;
 	}
 
+	if (req.emr_out_length_used < MC_CMD_GET_WORKAROUNDS_OUT_LEN) {
+		rc = EMSGSIZE;
+		goto fail2;
+	}
+
 	if (implementedp != NULL) {
 		*implementedp =
 		    MCDI_OUT_DWORD(req, GET_WORKAROUNDS_OUT_IMPLEMENTED);
@@ -2305,6 +2310,8 @@ efx_mcdi_get_workarounds(
 
 	return (0);
 
+fail2:
+	EFSYS_PROBE(fail2);
 fail1:
 	EFSYS_PROBE1(fail1, efx_rc_t, rc);